The Dangers of a Royal Baby: Scams Abound

Big news stories are always an opportunity for scammers and spammers, who attempt to redirect users to malicious exploit kits or other unwanted services. Britain’s royal baby is the latest news to offer cover for malware. We have already found a lot of spam messages regarding the birth and baby that lead users to the infamous Blackhole exploit kit.

The initial infection arrives as spam mail that contains a redirection URL in the following format:

hxxp://[infectedDomain]/[Random]/index.html

Figure 1: Spam email.

From there, the user lands on a page that links to JavaScript files, as shown in the next image:

Figure 2: Spam URL.

This first level contains three *.js URLs that point to other infected or malicious domains. Once victims land on this page, those JavaScript files redirect them to a page like the following:

Figure 3: Blackhole landing page redirector.

The second-level URL shows us the actual landing page of the Blackhole exploit kit, which leads us to this content:

Figure 4: Customized encoded Blackhole landing page.

We decoded the customized base64-encoded Blackhole landing page, which yielded a "plug-in detect" JavaScript routine. Blackhole uses this code to identify which plug-ins are installed on the machine, so it can select a payload that matches the specific plug-in versions present in the user's browser. The next image shows the decoded PluginDetect.js:
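The two stages described above (the fixed-shape redirect URL in the spam, and the base64 blob on the landing page that decodes to plug-in fingerprinting JavaScript) can both be triaged with a small script. The Python below is an added example for this article and is not code from the post or from McAfee; the sample page, the indicator strings and the URL-shape rule are constructed assumptions for illustration, and a real page would be fetched by an analyst from a capture rather than embedded inline.

```python
import base64
import re
from urllib.parse import urlsplit

# Constructed sample page: a script hidden in a base64 string, in the style the
# post describes for the Blackhole landing page. The blob is built here from a
# made-up snippet; it is not taken from any real sample.
INNER_SCRIPT = (
    "var pd = new PluginDetect();"
    "var jv = PluginDetect.getVersion('Java');"
    "var pv = PluginDetect.getVersion('AdobeReader');"
)
ENCODED = base64.b64encode(INNER_SCRIPT.encode()).decode()
SAMPLE_PAGE = (
    "<html><body><script>"
    f"var s = '{ENCODED}';"
    "document.write(atob(s));"
    "</script></body></html>"
)

# Assumed indicator strings for plug-in fingerprinting code (an example list,
# not a signature published by the post).
INDICATORS = ("PluginDetect", "getVersion(", "navigator.plugins")

# Long runs of base64-alphabet characters, with optional trailing padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decoded_text_blobs(html):
    """Yield the text of every long base64 run in html that decodes to printable text."""
    for match in B64_RUN.finditer(html):
        core = match.group(0).rstrip("=")
        padded = core + "=" * (-len(core) % 4)  # normalise padding before decoding
        try:
            raw = base64.b64decode(padded, validate=True)
            text = raw.decode("utf-8")
        except ValueError:
            continue  # not valid base64, or not UTF-8 text (binascii.Error is a ValueError)
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            yield text


def plugin_detect_indicators(html):
    """Return the indicator strings found in any decoded blob, in INDICATORS order."""
    found = set()
    for text in decoded_text_blobs(html):
        found.update(i for i in INDICATORS if i in text)
    return [i for i in INDICATORS if i in found]


def is_spam_redirect_shape(url):
    """True when a URL (defanged hxxp:// accepted) has the path shape /<segment>/index.html.

    This is a coarse triage rule matching the format quoted in the post; many
    legitimate sites use the same shape, so treat a hit as a prompt to look
    closer, not as a verdict.
    """
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    segments = [s for s in urlsplit(url).path.split("/") if s]
    return len(segments) == 2 and segments[1].lower() == "index.html"


if __name__ == "__main__":
    # Constructed domain for the demo; not an indicator from the post.
    print("indicators:", plugin_detect_indicators(SAMPLE_PAGE))
    print("redirect shape:", is_spam_redirect_shape("hxxp://infected.example/a8f3kq/index.html"))
```

The decoder deliberately keeps only blobs that decode to printable text, so binary assets such as base64-inlined images are skipped rather than producing noisy matches; the indicator list is where an analyst would add strings seen in the decoded PluginDetect.js of the sample being examined.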